[liberationtech] Heml.is - "The Beautiful & Secure Messenger"
Mitar
mmitar at gmail.com
Thu Jul 11 13:55:30 PDT 2013
Hi!
On Thu, Jul 11, 2013 at 1:32 PM, Andy Isaacson <adi at hexapodia.org> wrote:
> Even if an attacker were to secretly compromise all of the Tor DAs and
> publish a malicious consensus, the break is only to anonymity, not to
> message privacy. (Granted, anonymity is a major selling point for Tor
> and that break would be a major problem, but it's still not as severe a
> break as the messaging app compromise.)
Why? If messages are encrypted client side (which is open source) and
server just stores them, then it is exactly the same as with Tor.
Who is saying that they will be running all the servers themselves?
Maybe they will distribute them around different legal jurisdictions.
They are just saying that you will not be able to deploy your own
versions of it. Like you cannot deploy your own Tor DAs and get all
the Tor clients to use it (automatically). (You can configure your
client to use it, but there is no way that I can start running my Tor
DAs and all Tor clients deployed in the world will start using it as
well. Why not? You are not trusting me? Wouldn't it be better to have
more DAs? I can run it. Oh, I cannot? Tsk tsk tsk.)
Even if Tor DAs were developed as open source, how can we be assured
that they are really running that open source code and not some
compromised version of it?
I hear what you are saying. That open source is a good (must?)
practice to do when developing security-sensitive servers. But it is
far from enough. The system should work even when servers are
compromised because you cannot ever be sure what exactly is running on
the servers. So if you cannot ever be sure what exactly is running on
the servers, it can be closed source to begin with as well, no? And
you just see it as another piece of untrusted code somewhere in the
Internet.
>> And it does not
>> really matter if the code there is open source or not, because you
>> anyway cannot know if they are really running some particular code
>> there or not.
>
> Being closed source doesn't fix this problem, so how is that a useful
> response to the advice "never trust a closed source privacy app"?
Closed source does not fix the problem of nobody knowing what is
really running on the server, but it allows for a traditional business
model (I agree that there might be new ones which would work, but
maybe they are just not yet known enough or we might not even have
thought them up yet; and different business models have different business
risks associated with them). And because open source does not fix the
problem of what is running on the server either, then we might opt
for the variation with a business model if this allows a high-quality and
highly usable service.
(Of course with closed source you lose the free software freedoms and
you probably get into a vendor lock-in, but if the client is open
source, then you can still have access to your messages. Anyway, this
is another topic.)
Mitar
--
http://mitar.tnode.com/
https://twitter.com/mitar_m